@zhijiewang/openharness 2.32.0 → 2.33.0

package/dist/harness/config.d.ts

@@ -214,6 +214,34 @@ export type OhConfig = {
         rateLimit?: number;
         allowedTools?: string[];
     };
+    /**
+     * Opt-in OS-level sandbox via `@anthropic-ai/sandbox-runtime` (an optional
+     * dependency). When `enabled: true`, BashTool wraps every command in
+     * bubblewrap (Linux) or sandbox-exec (macOS) plus a domain-allowlist
+     * network proxy. Windows isn't supported by the package — the wrap is a
+     * silent passthrough there. Off by default; users opt in via config or the
+     * `--sandbox` CLI flag.
+     *
+     * `network.allowedDomains` is the proxy allowlist (e.g. `["github.com",
+     * "registry.npmjs.org"]`); `deniedDomains` blocks specific hosts before
+     * the allowlist applies. `filesystem.allowWrite` defaults to `[cwd]` —
+     * the sandbox can write to the project tree but nowhere else.
+     *
+     * See `src/harness/sandbox-runtime.ts` and SECURITY.md for the full
+     * threat-model boundary.
+     */
+    sandbox?: {
+        enabled?: boolean;
+        network?: {
+            allowedDomains?: string[];
+            deniedDomains?: string[];
+        };
+        filesystem?: {
+            allowWrite?: string[];
+            denyWrite?: string[];
+            denyRead?: string[];
+        };
+    };
     /**
      * Environment variables injected into child processes spawned by the harness —
      * Bash/Monitor/PowerShell tool executions and MCP server subprocesses. Useful

package/dist/harness/sandbox-runtime.d.ts

@@ -0,0 +1,47 @@
+/**
+ * OS-level sandbox integration via the optional `@anthropic-ai/sandbox-runtime`
+ * package. The package wraps a shell command in bubblewrap (Linux) or
+ * sandbox-exec (macOS) plus a network proxy that filters by domain allowlist.
+ *
+ * Boundaries:
+ * - **Linux + macOS**: real sandboxing via the package's static API.
+ * - **Windows**: not supported by the package — every wrap call returns null
+ *   (graceful passthrough; tools spawn unsandboxed). Documented in SECURITY.md.
+ * - **Package not installed**: same passthrough behavior — installs cleanly
+ *   without the optional dep on any platform.
+ *
+ * Lifecycle:
+ * - Initialized once per process on the first wrap request.
+ * - One `SandboxManager.initialize` covers all subsequent wrap calls.
+ * - No reset — the package documents auto-cleanup on process exit.
+ *
+ * Opt-in: callers pass `{ enabled: true }` (typically derived from
+ * `OhConfig.sandbox.enabled` or the `--sandbox` CLI flag). The default is
+ * off so existing users see no behavior change.
+ */
+import type { OhConfig } from "./config.js";
+export type SandboxConfig = NonNullable<OhConfig["sandbox"]>;
+/**
+ * Returns true on Linux/macOS where sandboxing is supported. Windows is
+ * unsupported by the underlying package, so we short-circuit there to avoid
+ * a misleading "tried to load and failed" log.
+ */
+export declare function isSandboxAvailable(): boolean;
+/**
+ * Wrap a shell command for sandboxed execution.
+ *
+ * Returns the wrapped command (a single shell string suitable for
+ * `spawn(cmd, { shell: "/bin/bash" })`) when sandboxing is enabled and
+ * available. Returns null in every other case — Windows, missing package,
+ * disabled config, init failure — so the caller falls through to the
+ * unsandboxed code path unchanged.
+ */
+export declare function wrapForSandbox(command: string, config: SandboxConfig): Promise<string | null>;
+/**
+ * Test-only: reset the cached init promise so unit tests can re-init with
+ * different configs.
+ *
+ * @internal
+ */
+export declare function _resetSandboxForTest(): void;
+//# sourceMappingURL=sandbox-runtime.d.ts.map

package/dist/harness/sandbox-runtime.js

@@ -0,0 +1,100 @@
+/**
+ * OS-level sandbox integration via the optional `@anthropic-ai/sandbox-runtime`
+ * package. The package wraps a shell command in bubblewrap (Linux) or
+ * sandbox-exec (macOS) plus a network proxy that filters by domain allowlist.
+ *
+ * Boundaries:
+ * - **Linux + macOS**: real sandboxing via the package's static API.
+ * - **Windows**: not supported by the package — every wrap call returns null
+ *   (graceful passthrough; tools spawn unsandboxed). Documented in SECURITY.md.
+ * - **Package not installed**: same passthrough behavior — installs cleanly
+ *   without the optional dep on any platform.
+ *
+ * Lifecycle:
+ * - Initialized once per process on the first wrap request.
+ * - One `SandboxManager.initialize` covers all subsequent wrap calls.
+ * - No reset — the package documents auto-cleanup on process exit.
+ *
+ * Opt-in: callers pass `{ enabled: true }` (typically derived from
+ * `OhConfig.sandbox.enabled` or the `--sandbox` CLI flag). The default is
+ * off so existing users see no behavior change.
+ */
+// Cached, lazy-initialized handle. We deliberately don't expose this — callers
+// only see `wrapForSandbox` / `isSandboxAvailable` / `resetSandboxForTest`.
+let _initPromise = null;
+/**
+ * Returns true on Linux/macOS where sandboxing is supported. Windows is
+ * unsupported by the underlying package, so we short-circuit there to avoid
+ * a misleading "tried to load and failed" log.
+ */
+export function isSandboxAvailable() {
+    return process.platform === "linux" || process.platform === "darwin";
+}
+async function loadAndInitialize(config) {
+    if (!isSandboxAvailable())
+        return null;
+    let mod;
+    try {
+        mod = (await import("@anthropic-ai/sandbox-runtime"));
+    }
+    catch {
+        // Optional dep not installed — graceful passthrough.
+        return null;
+    }
+    try {
+        await mod.SandboxManager.initialize({
+            network: {
+                allowedDomains: config.network?.allowedDomains ?? [],
+                deniedDomains: config.network?.deniedDomains ?? [],
+            },
+            filesystem: {
+                allowWrite: config.filesystem?.allowWrite ?? [process.cwd()],
+                denyWrite: config.filesystem?.denyWrite ?? [],
+                denyRead: config.filesystem?.denyRead ?? [],
+            },
+        });
+    }
+    catch {
+        // Init can fail when bubblewrap / sandbox-exec aren't installed, or when
+        // the user's profile rejects the proxy ports. Falling back to passthrough
+        // is correct — opting in promised "use sandbox if you can," not "fail
+        // closed" — that's a separate `requireSandbox` mode for a future revision.
+        return null;
+    }
+    return mod;
+}
+/**
+ * Wrap a shell command for sandboxed execution.
+ *
+ * Returns the wrapped command (a single shell string suitable for
+ * `spawn(cmd, { shell: "/bin/bash" })`) when sandboxing is enabled and
+ * available. Returns null in every other case — Windows, missing package,
+ * disabled config, init failure — so the caller falls through to the
+ * unsandboxed code path unchanged.
+ */
+export async function wrapForSandbox(command, config) {
+    if (!config.enabled)
+        return null;
+    if (!_initPromise) {
+        _initPromise = loadAndInitialize(config);
+    }
+    const mod = await _initPromise;
+    if (!mod)
+        return null;
+    try {
+        return await mod.SandboxManager.wrapWithSandbox(command);
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Test-only: reset the cached init promise so unit tests can re-init with
+ * different configs.
+ *
+ * @internal
+ */
+export function _resetSandboxForTest() {
+    _initPromise = null;
+}
+//# sourceMappingURL=sandbox-runtime.js.map

package/dist/tools/BashTool/index.js

@@ -1,5 +1,7 @@
 import { spawn } from "node:child_process";
 import { z } from "zod";
+import { readOhConfig } from "../../harness/config.js";
+import { wrapForSandbox } from "../../harness/sandbox-runtime.js";
 import { safeEnv } from "../../utils/safe-env.js";
 const inputSchema = z.object({
     command: z.string(),
@@ -21,12 +23,30 @@ export const BashTool = {
     isConcurrencySafe() {
         return false;
     },
-    call(input, context) {
+    async call(input, context) {
         // input.timeout is in seconds; convert to ms. Default 120s.
         const timeoutMs = Math.min((input.timeout ?? 120) * 1000, MAX_TIMEOUT);
         const isWin = process.platform === "win32";
-        const shell = isWin ? "cmd.exe" : "/bin/bash";
-        const shellArgs = isWin ? ["/c", input.command] : ["-c", input.command];
+        // Optional OS-level sandbox via @anthropic-ai/sandbox-runtime. Returns null
+        // when disabled / on Windows / when the optional dep isn't installed —
+        // caller falls back to the existing unsandboxed spawn unchanged.
+        const sandboxCfg = readOhConfig()?.sandbox;
+        const wrappedCommand = sandboxCfg ? await wrapForSandbox(input.command, sandboxCfg) : null;
+        let shell;
+        let shellArgs;
+        let extraSpawnOpts = {};
+        if (wrappedCommand) {
+            // sandbox-runtime returns a shell-string. Pin the shell to /bin/bash so
+            // the surrounding command syntax (heredocs, $((...)) etc.) keeps working
+            // — `shell: true` would default to /bin/sh on Linux.
+            shell = wrappedCommand;
+            shellArgs = [];
+            extraSpawnOpts = { shell: "/bin/bash" };
+        }
+        else {
+            shell = isWin ? "cmd.exe" : "/bin/bash";
+            shellArgs = isWin ? ["/c", input.command] : ["-c", input.command];
+        }
         // Background execution: spawn and return immediately
         if (input.run_in_background) {
             const bgId = Date.now().toString(36) + Math.random().toString(36).slice(2, 6);
@@ -35,9 +55,13 @@ export const BashTool = {
                 env: safeEnv(),
                 stdio: ["ignore", "pipe", "pipe"],
                 detached: false,
+                ...extraSpawnOpts,
             });
             let stdout = "";
             let stderr = "";
+            // stdio is fixed to ["ignore", "pipe", "pipe"] above, so stdout/stderr
+            // are always streams. Adding `...extraSpawnOpts` widens the spawn
+            // overload's return type to potentially-null pipes; assert non-null.
             proc.stdout.on("data", (chunk) => {
                 stdout += chunk.toString();
             });
@@ -76,11 +100,15 @@ export const BashTool = {
                 cwd: context.workingDir,
                 env: safeEnv(),
                 stdio: ["ignore", "pipe", "pipe"],
+                ...extraSpawnOpts,
             });
             const timer = setTimeout(() => {
                 killed = true;
                 proc.kill("SIGTERM");
             }, timeoutMs);
+            // stdio: ["ignore", "pipe", "pipe"] is set above — pipes are always
+            // present here; the spread of extraSpawnOpts just widens the return
+            // type. Non-null asserts are safe.
             proc.stdout.on("data", (chunk) => {
                 const text = chunk.toString();
                 stdout += text;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zhijiewang/openharness",
-  "version": "2.32.0",
+  "version": "2.33.0",
   "description": "Open-source terminal coding agent. Works with any LLM.",
   "type": "module",
   "bin": {
@@ -91,6 +91,7 @@
   },
   "homepage": "https://github.com/zhijiewong/openharness#readme",
   "optionalDependencies": {
+    "@anthropic-ai/sandbox-runtime": "^0.0.49",
     "@napi-rs/keyring": "^1.2.0",
     "sharp": "^0.34.5"
   }